Cyber attacks, pandemics and electromagnetic disturbances are the three top “high impact” risks to the U.S. and Canadian power-generation grids, according to a report from the North American Electric Reliability Corp. (NERC).

“The specific concern with respect to these threats is the targeting of multiple key nodes in the system, if damaged, destroyed or interrupted in a coordinated fashion, could bring the system outside the protection provided by traditional planning and operating criteria,” states the report, “High-Impact, Low-Frequency Risk to the North American Bulk Power System.”

The contents of the 118-page report are largely the result of closed-door discussions held since November by NERC (which plays a key role in setting security standards for the U.S. power grid), power providers and U.S. government officials.

The report, which calls for better coordination between U.S. power-grid providers and the government, sets the stage for what may be new guidelines and processes required to combat the major threats identified, according to NERC officials.

China on Tuesday denied any role in alleged cyberattacks on Indian government offices, calling China itself the biggest victim of hackers. When asked about Google’s (GOOG) allegation that cyberattacks launched from China hit the U.S. search giant, foreign ministry spokesman Ma Zhaoxu said Chinese companies were also often hit by cyberattacks.

“China is the biggest victim of hacking attacks,” Ma said, citing the example of top Chinese search engine Baidu.com being hacked last week.

U.S. Must Focus on Protecting Critical Computer Networks from Cyber Attack

Because it will be difficult to prevent cyber attacks on critical civilian and military computer networks by threatening to punish attackers, the United States must focus its efforts on defending these networks from cyber attack, according to a new RAND Corporation study.

The study finds that the United States and other nations that rely on externally accessible computer networks—such as ones used for electric power, telephone service, banking, and military command and control—as a foundation for their military and economic power are subject to cyber attack.

“Adversaries in future wars are likely to go after each other’s information systems using computer hacking,” said Martin C. Libicki, the report’s lead author and senior management scientist at RAND, a nonprofit research organization. “The lessons from traditional warfare cannot be adapted to apply to attacks on computer networks. Cyberspace must be addressed in its own terms.”

Working against connected but weakly protected computer systems, hackers can steal information, make the systems malfunction by sending them false commands and corrupt the systems with bogus information.

In most instances, the damage from cyber attacks is temporary, and repeated attacks lead the victim to develop systems that are more difficult to penetrate. The RAND study finds that military cyber attacks are most effective when part of a specific combat operation—such as silencing a surface-to-air missile system protecting an important target—rather than as part of a core element in a long, drawn-out military or strategic campaign.

Libicki says it is difficult to determine how destructive a cyber attack would be. Damage estimates from recent cyber attacks within the United States range from a few billion dollars to hundreds of billions of dollars a year.

The study indicates that cyber warfare is ambiguous: it is rarely clear what attacks can damage deliberately or collaterally, or even, afterward, what damage was done. The identity of the attacker may be little more than guesswork, which makes it hard to know when someone has stopped attacking. The cyber attacker’s motivation, especially outside physical combat, may be equally unclear.

The weapons of cyber war are amorphous, which eliminates using traditional approaches to arms control. Because military networks mostly use the same hardware and software as civilian networks, they have similar vulnerabilities.

“This is not an enterprise where means and ends can be calibrated to one another,” Libicki said. “As a result, it is ill-suited for strategic warfare.”

Because offensive cyber warfare is more useful in bothering, but not disarming, an adversary, Libicki does not recommend the United States make strategic cyber warfare a priority investment. He says similar caution is needed for deterring cyber warfare attacks, as it is difficult to attribute a given attack to a specific adversary, and the lack of an ability to counterattack is a significant barrier.

Instead, Libicki says the United States may first want to pursue diplomatic, economic and prosecutorial efforts against cyber attackers.

There is no kill switch for the Internet, no secret on-off button in an Oval Office drawer.

Yet when a Senate committee was exploring ways to secure computer networks, a provision to give the president the power to shut down Internet traffic to compromised Web sites in an emergency set off alarms.

Corporate leaders and privacy advocates quickly objected, saying the government must not seize control of the Internet.

Lawmakers dropped it, but the debate rages on. How much control should federal authorities have over the Web in a crisis? How much should be left to the private sector? It does own and operate at least 80 percent of the Internet and argues it can do a better job.

“We need to prepare for that digital disaster,” said Melissa Hathaway, the former White House cybersecurity adviser. “We need a system to identify, isolate and respond to cyberattacks at the speed of light.”

So far at least 18 bills have been introduced as Congress works carefully to give federal authorities the power to protect the country in the event of a massive cyberattack. Lawmakers do not want to violate personal and corporate privacy or squelch innovation. All involved acknowledge it isn’t going to be easy.

Greater transparency needed in development of US policy on cyberattack

WASHINGTON — The current policy and legal framework regulating use of cyberattack by the United States is ill-formed, undeveloped, and highly uncertain, says a new report from the National Research Council. The United States should establish clear national policy on the use of cyberattack, while also continuing to develop its technological capabilities in this area. The U.S. policy should be informed by open national debate on the technological, policy, legal, and ethical issues of cyberwarfare, said the committee that wrote the report.

“Cyberattack is too important a subject for the nation to be discussed only behind closed doors,” said Adm. William Owens, former vice chairman of the Joint Chiefs of Staff and former vice chairman and CEO of Nortel Corp., and Kenneth Dam, Max Pam Professor Emeritus of American and Foreign Law at the University of Chicago School of Law, who co-chaired the committee.

Cyberattacks — actions taken against computer systems or networks — are often complex to plan and execute but relatively inexpensive, and the technology needed is widely available. Defenses against such attacks are discussed, but questions on the potential for, and the ramifications of, the United States’ use of cyberattack as a component of its military and intelligence arsenal have not been the subject of much public debate. Although the policy and organizational issues raised by the use of cyberattack are significant, the report says, “neither government nor society at large is organized or prepared to handle issues related to cyberattack, let alone to make broadly informed decisions.”

The U.S. could use cyberattack either defensively, in response to a cyberattack from another nation, or offensively to support military missions or covert actions, the report says. Deterring such attacks against the U.S. with the threat of an in-kind response has limited applicability, however; cyberattacks can be conducted anonymously or falsely attributed to another party relatively easily, making it difficult to reliably identify the originator of the attack.

Employing a cyberattack carries with it some implications that are unlike those associated with traditional physical warfare, the report says. The outcome is likely to be more uncertain, and there may be substantial impact on the private sector, which owns and operates much of the infrastructure through which the U.S. would conduct a cyberattack. The scale of such an attack can be enormous and difficult to localize. “Blowback” to the U.S. — effects on our own network systems — is possible.

Clear national policy regarding the use of cyberattack should be developed through open debate within the U.S. government and diplomatic discussion with other nations, the report says. The U.S. policy should make it clear why, when, and how a cyberattack would be authorized, and require a periodic accounting of any attacks that are conducted, to be made available to the executive branch and to Congress.

From a legal perspective, cyberattack should be judged by its effects rather than the method of attack; cyberwarfare should not be judged less harshly than physical warfare simply by virtue of the weapons employed. The Law of Armed Conflict (LOAC), an international law regulating conduct during war, should apply to cyberattack. However, there are aspects of cyberwarfare that will not fit neatly within this structure. LOAC was designed to regulate conflict between nations, but cyberweapons can easily be used by non-state groups, making issues such as determining appropriate targets for military retaliation difficult to address. Additional legal constructs will be needed to govern cyberattacks, and the framework of LOAC and the U.N. Charter on the use of armed force would be an appropriate starting point, the report says.

This study was sponsored by the MacArthur Foundation, Microsoft Corp., and the National Research Council. The National Academy of Sciences, National Academy of Engineering, Institute of Medicine, and National Research Council make up the National Academies. They are private, nonprofit institutions that provide science, technology, and health policy advice under a congressional charter. The Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. A committee roster follows.

Copies of TECHNOLOGY, POLICY, LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES are available from the National Academies on the Internet at HTTP://WWW.NAP.EDU.